Wildcard SSL certificate on Google App Engine + Cloudflare - google-app-engine

I have a domain, example.com and want to support wildcard subdomains such as *.example.com on SSL.
My app is running on Google App Engine and I'm hoping to use Cloudflare to proxy all the requests to my domain on SSL. Please note I'm on the Free plan of Cloudflare.
My question is whether I need to purchase a separate wildcard subdomain certificate apart from using Cloudflare's.
I want to enable Full (strict) SSL method on Cloudflare. My understanding was that I could install the Origin certificate issued by Cloudflare on GAE (so that GAE <-> Cloudflare is secure), and then use the universal SSL certificate issued by Cloudflare so that Cloudflare <-> browser is secure. Is there a need to ever purchase a separate wildcard subdomain cert, or can I make use of (universal + origin certificates) Cloudflare's SSL entirely?
If my understanding above isn't correct and I need to purchase a separate SSL wildcard subdomain cert - once I upload this to GAE, is my connection from GAE to the browser secure from end-to-end? Will the SSL on GAE be validated by Cloudflare and then it is able to proxy the wildcard subdomain requests on SSL?
If anyone versed and knowledgeable in this area could help understand the flow, that would be really appreciated.

I'm familiar with Cloudflare but not GAE. For Full (Strict) you will have to have a cert that is valid for both example.com and *.example.com in both Cloudflare and your origin servers. Cloudflare will take care of the edge certificate that the browser/client will interact with.
As you assumed, the origin cert Cloudflare issues will work and will be free. When you ask Cloudflare to generate this, you can specify the domains, which should include example.com and *.example.com. Cloudflare will issue you a self-signed cert for example.com with a SAN for *.example.com. The upside of this is that it's free and will have a long expiration time (if you want). The downside is that if you ever have to drop Cloudflare or interact with the origin servers without Cloudflare, the cert will not be signed by a root CA. These requests will generally fail in clients and browsers unless you specifically make client configuration changes to trust this cert, and certainly a random browser accessing this server will get a certificate error.
A root CA signed cert for example.com with a SAN for *.example.com will also work. The downside of this is that it will generally cost money unless you use a free service like Let's Encrypt. You will probably also have to renew this cert more often than a self-signed cert, and an expired cert will result in downtime in Full (Strict) mode. The upside of this is that generally any request you send directly to the origin servers will work, even in a random browser.
For me, I would go with a root CA signed cert (even a free one if need be) so that if I absolutely had to drop Cloudflare in an emergency, I could just switch DNS to the origin servers and still be okay. Only if I had some complete dependency on Cloudflare, like Workers or DDoS protection, would I go with the Cloudflare self-signed cert.

Related

Sub domain not listed in Google App Engine while enabling SSL for custom domains

I have been trying to use my own SSL certificate on subdomains for my app in GAE. I have successfully created the certificate and was able to enable it for all but one subdomain.
Let's say my domain is domain.com. I was able to enable the SSL certificate for domain.com, www.domain.com, subdomain.domain.com but for some reason, www.subdomain.domain.com does not show in the list of potential custom domains for my certificate. In this situation, I can not access my website through https://www.subdomain.domain.com but can through https://subdomain.domain.com.
Also, I can activate a google managed certificate for this subdomain, making https://www.subdomain.domain.com accessible, but of course, this is not what I want. Any clue on how to make www.subdomain.domain.com visible in the domains list of my certificate in order to then be able to turn it on?
This post is reporting a similar issue to this one. Sadly, no one has provided an answer and I do not have enough reputation to comment on it...

Multi-level domains may be tricky. Starting with the type of the certificate obtained. From RFC 2818 (emphasis mine):
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
I suspect this is what's causing your trouble. Google also mentions in App Engine support for SSL certificates:
Wildcard certificates only support one level of subdomain.
When trying the google-managed certificate the certificate is likely generated exactly for the respective domain, not a wildcard one, thus not having the problem mentioned in the above quote.
The only way I can think of to get this working is to obtain a separate wildcard certificate for each domain level. But that could be a problem if you direct users to sites at different domain levels, as the certificate would change.
Personally I'd just arrange my domain names to be contained into just one domain level and avoid all these issues. Maybe with something like www-subdomain.domain.com instead of www.subdomain.domain.com?
According to the Google Cloud docs, by ensuring you have the right permissions in the GCP console and have verified ownership of all parent domains, you can access subdomains with your custom certificate.
Example:
If the certificate is for www.example.com you can verify ownership of either www.example.com or example.com.
If the certificate is for www.example.com and sub.example.com you can either verify ownership of both www.example.com and sub.example.com, or of example.com.
If the certificate is for *.example.com you must verify ownership of example.com.
You can check this link, mostly the section mentioned: Using your own SSL certificates
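
The single-level wildcard rule quoted from RFC 2818 above, applied to the example.com plus *.example.com SAN list from the first answer, as an added example that is not part of the original posts. The function names and sample hostnames are constructed for illustration; the matcher follows RFC 2818 as quoted, including partial wildcards such as f*.com, which stricter clients refuse.

```python
"""Report which hostnames a certificate's SAN list covers (RFC 2818 wildcard rules)."""

def _match_label(pattern, label):
    """Match one DNS label against a pattern label that may contain a single '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern == "*":
        return label != ""
    # Partial wildcards: only one '*', and never against IDN A-labels (RFC 6125).
    if pattern.count("*") > 1 or pattern.startswith("xn--") or label.startswith("xn--"):
        return False
    prefix, suffix = pattern.split("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))

def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # '*' never spans a dot, so both names must have the same number of labels.
    if len(p) != len(h):
        return False
    # A wildcard is honoured only in the left-most label.
    if any("*" in lbl for lbl in p[1:]):
        return False
    return _match_label(p[0], h[0]) and p[1:] == h[1:]

def covered_by(sans, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    return next((s for s in sans if san_matches(s, hostname)), None)

def coverage_report(sans, hostnames):
    """Map each hostname to the SAN entry covering it (None = certificate error)."""
    return {h: covered_by(sans, h) for h in hostnames}

# Constructed sample data: the SAN list described in the first answer.
SANS = ["example.com", "*.example.com"]
HOSTS = ["example.com", "www.example.com", "sub.example.com", "www.sub.example.com"]

if __name__ == "__main__":
    for host, san in coverage_report(SANS, HOSTS).items():
        print(f"{host:22} -> {san or 'NOT COVERED'}")
    # A second wildcard one level down is needed for www.sub.example.com.
    print(covered_by(SANS + ["*.sub.example.com"], "www.sub.example.com"))
```

The apex needs its own SAN entry because *.example.com does not match example.com, and a name two levels down stays uncovered until a wildcard for that level is added.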

Mutual SSL authentication on Google App Engine

I have an application where the client uses mutual SSL authentication through NGINX. So far, so good.
However, I want to move my project to Google App Engine and I need to use the same approach to validate the client, or at least, forward the client certificate to be validated in the application.
Is there some way to use mutual authentication on App Engine or other Google Cloud service?
Regards!

This might not be possible in GAE flexible environment because the SSL connections don't reach all the way to the actual application code. From Request limits:
SSL connections are terminated at the load balancer. Traffic from the load balancer is sent to the instance over an encrypted channel, and then forwarded to the application server over HTTP. The X-Forwarded-Proto header lets you understand if the origin request was HTTP or HTTPs.
I didn't find such mention about the standard env GAE, so I'm unsure if the same applies there or not.

Is my app secure with Google App Engine without my own SSL Certificate

Is my app secure with Google App Engine without my own SSL Certificate?
I ask because I've just gone through the process of using Letsencrypt to create an SSL cert and apply it to my App Engine project with a custom domain - myapp.com
Now, I also have a development environment which is at myapp.appspot.com. While configuring the app.yaml files with secure: always, I accidentally deployed the dev app before creating the certificates and I noticed it was secured!
I thought this could be an appspot.com thing, so I removed the certificates from my live app and it is still showing as secured...
So the question is, does App Engine have some sort of built-in SSL and thus, do I need to bother with my own certs???
Yes, your app at appspot.com is secure. However, if you wish to use a custom domain then you must get an SSL certificate. Here you can find instructions on how to use a custom SSL certificate for a custom domain with appengine.

Is it possible to use SSL with a custom domain on app engine without own certificate?

I have an App Engine app and I enabled SSL for it (without my own certificate) and it works for the appspot URL like https://myApp.appspot.com. Now I want to use my custom domain like myDomain.com with SSL (e.g. https://myDomain.com). Is this possible without my own certificate, like with the appspot domain? I followed this guide (https://developers.google.com/appengine/docs/ssl?hl=de) and it talks about uploading a certificate. Is that an optional or a mandatory step?
Because if I try to access my domain, I always get an SSL error.
Uploading a certificate is mandatory if you want to use SSL for a custom domain. You can find details on SSL handshake at [1].
[1] - http://www.pierobon.org/ssl/ch2/detail.htm

GAE Python: any way to specify trusted CAs when performing an HTTPS request?

Is there any way to specify a list of trusted certificate authorities when making HTTPS request from Python on App Engine?
Alternately, is there any other way to secure (against sniffing, replay, MITM, etc) App Engine communication with a 3rd party server without involving a 3rd party CA?
Not currently. You can choose whether or not to validate the host certificate, but you cannot choose which root certificates are accepted.
